acme: delete ACME RA account on server uninstall

For each CA server, a Dogtag user account is created for the ACME
service to authenticate to the CA subsystem.  This commit removes
that Dogtag account when the server is uninstalled.

The user deletion behaviour is extracted to a common method used for
both ACME RA account deletion (on uninstall) and removal of the
temporary admin account (during replica install).

Part of: https://pagure.io/freeipa/issue/4751

Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Fraser Tweedale
2020-07-01 16:43:08 +10:00
committed by Rob Crittenden
parent 525b946b75
commit 1f72056027
3 changed files with 64 additions and 13 deletions


@@ -40,7 +40,7 @@ from ipaserver.install import (
adtrust, bindinstance, ca, dns, dsinstance,
httpinstance, installutils, kra, krbinstance,
otpdinstance, custodiainstance, replication, service,
sysupgrade)
sysupgrade, cainstance)
from ipaserver.install.installutils import (
IPA_MODULES, BadHostError, get_fqdn, get_server_ip_address,
is_ipa_configured, load_pkcs12, read_password, verify_fqdn,
@@ -319,6 +319,19 @@ def remove_master_from_managed_topology(api_instance, options):
logger.warning("Failed to delete master: %s", e)
def cleanup_dogtag_server_specific_data():
"""
There are data in Dogtag database related to specific servers.
Some of these data should be left alone, e.g. range assignments.
Some of these data should be cleaned up; that's what this
subroutine does.
"""
# remove ACME user
acme_uid = cainstance.CAInstance.acme_uid(api.env.host)
cainstance.CAInstance.delete_user(acme_uid)
@common_cleanup
def install_check(installer):
options = installer
@@ -1103,6 +1116,8 @@ def uninstall_check(installer):
ca.uninstall_check(options)
cleanup_dogtag_server_specific_data()
if domain_level == DOMAIN_LEVEL_0:
rm = replication.ReplicationManager(
realm=api.env.realm,